SUMMARY: Loopback filesystem and SUID

From: Jesús Cea Avión (jcea@argo.es)
Date: Tue Aug 25 1998 - 15:35:52 CDT


Original Question at the end.

Thanks to:

Casper Dik <casper@holland.Sun.COM>
Kevin.Sheehan@uniq.com.au (Kevin Sheehan {Consulting Poster Child})

A "man lofs" states *clearly* that except "read only", all attributes
are inherited from the underlying filesystem. So the lofs can't be
"no-SUID" if the underlying filesystem is "SUID-enabled".

Casper also says (and I tried it :) that you can't erase or create new
files, but it's perfectly possible to modify the existing ones:

  "Lofs doesn't create new vnodes for the loopback files, only for
   the directories (efficiency reasons).

   At the per-file basis, "ro" and "nosuid" cannot be implemented as
   you'll only see the files from the underlying filesystem."

In this way, the utility of "lofs" is severely decreased :(. That's my
opinion...

Casper suggests, nevertheless, to use NFS partitions in order to mount
them as Read-Only + NOSUID. A valid suggestion if you can mount them two
times on different directories; one as RW and the other as RO...

With these restrictions, "lofs" is still useful if CHROOT security is
enough for you, and you use "lofs" *ONLY* to avoid file replication
inside the CHROOT environment.

> I'm trying to mount a loopback filesystem in order to improve my site
> security (lofs+chroot). I can do a "mount -r dir_to_mount
> new_location" to mount it as Read-Only.
>
> Nevertheless I can't find the way to mount the lofs as "noSUID". At
> least not if the underlying partition is "SUID enabled". Can anybody
> help me? And yes, the underlying partition must be mounted as
> read-write and SUID. The loopback can be set to read-only but I
> can't make it no-SUID.
>
> I'll summarize.
>
> PS: lofs=Loopback Filesystem

-- 
Jesus Cea Avion                         _/_/      _/_/_/        _/_/_/
jcea@argo.es http://www.argo.es/~jcea/ _/_/    _/_/  _/_/    _/_/  _/_/
                                      _/_/    _/_/          _/_/_/_/_/
PGP Key Available at KeyServ   _/_/  _/_/    _/_/          _/_/  _/_/
"Things are not so easy"      _/_/  _/_/    _/_/  _/_/    _/_/  _/_/
"My name is Dump, Core Dump"   _/_/_/        _/_/_/      _/_/  _/_/
"El amor es poner tu felicidad en la felicidad de otro" - Leibnitz
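As an added illustration (not part of the original post or of Solaris itself), the following shell audit reads /etc/mnttab-style lines and reports every lofs mount whose underlying filesystem allows setuid, since per the summary the lofs entry's own "nosuid" flag is not enforced for files. The sample mnttab is constructed; the field layout and the rule "setuid is allowed unless nosuid is listed" are assumptions.

```sh
#!/bin/sh
# Constructed sample in /etc/mnttab layout (assumption):
#   special  mount_point  fstype  options  mount_time
# Setuid is taken as allowed on a filesystem unless "nosuid" is among its options.
SAMPLE_MNTTAB='/dev/dsk/c0t0d0s0 / ufs rw,intr,largefiles,dev=800000 904000000
/dev/dsk/c0t0d0s6 /usr ufs rw,intr,largefiles,dev=800006 904000001
/dev/dsk/c0t0d0s7 /export/home ufs rw,nosuid,dev=800007 904000002
/usr/lib /export/chroot/usr/lib lofs ro,dev=800006 904000003
/usr/bin /export/chroot/usr/bin lofs ro,nosuid,dev=800006 904000004
/export/home/ftp /export/chroot/home lofs rw,dev=800007 904000005'

# audit_lofs: read mnttab lines on stdin and print one warning per lofs mount
# whose underlying filesystem allows setuid.  The lofs entry's own options are
# reported for information only: as the summary explains, lofs hands out the
# underlying file vnodes, so its nosuid flag is not enforced per file.
audit_lofs() {
    awk '
        # Pass 1: remember the options of every real (non-lofs) mount point.
        $3 != "lofs" { opts[$2] = $4; next }
        # Keep lofs entries; the underlying mount may appear later in the file.
        { n++; src[n] = $1; mp[n] = $2; lopts[n] = $4 }
        END {
            for (i = 1; i <= n; i++) {
                # Underlying filesystem = longest mount point that is a path
                # prefix of the lofs source directory.
                best = ""
                for (m in opts)
                    if (m == "/" || src[i] == m || index(src[i], m "/") == 1)
                        if (length(m) > length(best)) best = m
                if (best == "") continue
                if (opts[best] !~ /(^|,)nosuid(,|$)/)
                    printf "%s: lofs of %s inherits setuid from %s (%s); own options: %s\n", mp[i], src[i], best, opts[best], lopts[i]
            }
        }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_MNTTAB" | audit_lofs
```

Both chroot lofs mounts over /usr are flagged, the one marked "nosuid" included, while the mount over the nosuid /export/home is not.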



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:46 CDT